Upload
willy
View
216
Download
1
Embed Size (px)
Citation preview
ww.sciencedirect.com
i n f o rma t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7
Available online at w
www.compseconl ine.com/publ icat ions/prodinf .htm
Server-aided signatures verification secure againstcollusion attack
Sherman S.M. Chow a,*, Man Ho Au b, Willy Susilo b
aDepartment of Information Engineering, Chinese University of Hong Kong, Hong KongbUniversity of Wollongong, NSW, Australia
Keywords:
Server-aided computation
Collusion attack
Signatures
Pairings
Delegation
Weak computational device
* Corresponding author.E-mail addresses: [email protected]
1363-4127/$ e see front matter ª 2012 Elsevhttp://dx.doi.org/10.1016/j.istr.2012.10.007
a b s t r a c t
Wireless handheld devices are increasingly popular. The authenticity of the information or
a program to be downloaded is important, especially for business uses. In server-aided
verification (SAV), a substantial part of the verification computation can be offloaded to
an untrusted server. This allows resource-constrained devices to enjoy the security guar-
antees provided by cryptographic schemes, such as pairing-based signatures, which may
be too heavyweight to verify otherwise.
To gain unfair advantage, an adversary may bribe (or collude with) the server either to
convince that an invalid signature is a valid one or to claim that a valid signature is invalid
(say for providing repudiable information/commitment, or spoiling an opponent’s offer).
However, these concerns are not properly captured by existing models.
In this paper, we infer the meaning behind and point out the subtleties in existing
models; and propose a new model to capture the collusion attack. We also show that two
existing schemes are insecure in their own model. Finally, we provide a generic pairing-
based SAV protocol. Compared with the protocol of GiraulteLefranc in Asiacrypt ’05,
ours provides a higher level of security yet applicable to a much wider class of pairing-
based cryptosystems. In particular, it suggests SAV protocols for short signatures in the
standard model and aggregate signatures which have not been studied before.
ª 2012 Elsevier Ltd. All rights reserved.
1. Introduction 1.1. Server-aided computation of pairing
Server-aided computation protocols are protocols in which
a device, also called the client, offloads the computation to
a server. Nowadays, there aremany computation deviceswith
relatively limited power, e.g., smart card, SIM card, RFID tag,
but need to perform cryptographic operations which are both
time and power consuming. Moreover, there may not be
optimized library for the more-advanced cryptographic oper-
ations, such as pairings.
Server-aided computation protocols are particularly useful
since these devices often have access to a more powerful de-
vice which can act as the server.
k (S.S.M. Chow), aau@uoier Ltd. All rights reserve
Bilinear pairing is an enabling technology for constructing
next-generation cryptosystems. On one hand, it allows the
construction of novel cryptographic applications that are dif-
ficult to build based on other primitives, if not impossible. On
the other hand, it also facilitates the construction of some
highly efficient cryptographic solutions which are particularly
appealing for computationally-limited devices. Pairing is
currently instantiated on elliptic curves. The use of elliptic
curves leads to a shorter-representation of the cryptographic
group elements, so many pairing-based schemes can bemade
space-efficient. An ever increasing number of protocols have
w.edu.au (M.H. Au), [email protected] (W. Susilo).d.
i n f o rm a t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7 47
been appearing in the literature since its introduction. Ex-
amples of the former include identity-based encryption
(Boneh and Franklin, 2003) and attribute-based encryption
(Sahai and Waters, 2005). Examples of the latter include short
signature (Boneh et al., 2004b; Boneh and Boyen, 2008; Zhang
et al., 2004), aggregate signature (Boneh et al., 2003; Lu et al.,
2006) and constant-size broadcast encryption (Boneh et al.,
2005; Delerablee and Kurosawa, 2007), to name a few. Some
of which have a very simple design (e.g., Boneh et al., 2004b;
Boneh et al., 2003) when compared with non-pairing con-
structions. While these schemes may offer high efficiency in
terms of bandwidth or storage requirement, pairing itself is
a relatively heavyweight cryptographic operation. There may
not be optimized library for every platform such as SIM card or
RFID tags. To enjoy the features made possible by cryptog-
raphy, one may resort to a symmetric-key solution instead of
a public-key one (e.g., Chu et al., 2011), or employ tricks such
as precomputation (e.g., Chow et al., 2011). In this paper, we
study the approach of server-aided computation, with focus in
server-aided verification of digital signatures of compact size
which are secure under commonly accepted and black-box
falsifiable assumptions.1
1.2. Batched verification and signature aggregation
Under certain circumstances, conducting computation in
batch rather than individually yields better efficiency. In
Bellare et al. (1998), the concept of batch verification of sig-
natures was first studied. The verifier is assured that all sig-
natures in the batch are valid, yet the verification of many
signatures from the same signer can be sped up by conducting
the verification of equality of modular exponentiations in
batch. Regarding batch verification of pairing-based schemes,
Camenisch et al. (2007) studied batch verification of some
pairing-based short signatures frompossibly different signers,
based on the algebraic property of pairing. Ferrara et al. (2009)
studied batch verification of many more pairing-based short
signatures, which include standard short signatures (Boneh
et al., 2004b; Camenisch et al., 2007), aggregate signatures
(Boneh et al., 2003; Shao et al., 2005; Lu et al., 2006), group
signatures (Boneh et al., 2004a, Boneh and Shacham, 2004),
ring signatures (Boyen, 2007), identity-based signatures (Hess
et al., 2002; Cha and Cheon, 2003; Waters, 2005), and identity-
based ring signatures (Chow et al., 2005).
While batch verification aims at saving computational
overhead, aggregated signatures (Boneh et al., 2003) allow the
saving of bandwidth by compressing of a list of signatures
from possibly different signers and on different messages into
a single signature. The construction in Boneh et al. (2003) is
pairing-based.
1.3. Collusion attack
Server-aided computation of cryptographic operations should
not introduce new vulnerabilities to the application. This is
true if the server is fully-trusted and there exists a secure
1 We remark that there are signature schemes (e.g., Camenischand Lysyanskaya, 2004) which rely on interactive and thus non-black-box falsifiable assumption, such as LRSW assumption.
channel between the server and the client. In this case the
client can simply offload the computation to the server. Un-
fortunately, this trust assumption is not realistic. In reality,
the client could be facing a malicious server, or the client
cannot establish an authenticated connection with a trusted
server easily. (Authenticated connection can be established by
cryptographic means, which leads to a chicken-and-egg situ-
ation.) Moreover, concernswith confidentiality arise when the
operation involves some private information from the client
(e.g., decryption or signing which uses the client’s private key)
or when the operation result gives the basis for the client to
make a decision whether the integrity of some information
(e.g., via digital signature) has been tampered or not.
1.4. Existing work
In the work of Girault et al. (2005), some security requirements
of server-aided verification are formalized. Two existing pro-
tocols are then analysed in their model, and a new one for
a limited class of pairing-based signature schemes has been
introduced (specifically, schemes where the verification re-
quires only comparisons against a fixed element beðg; gÞÞ. Intheir model, a malicious server is not allowed to collude with
the signer. In particular, the security of the protocol relies on
the fact that the malicious server is not given any valid sig-
nature on that message. Subsequently, Wu et al. (2008, 2011)
proposed a SAV protocol for BoneheLynneShacham sig-
nature (Boneh et al., 2004b) since it is not covered in the pre-
vious semi-generic construction. Wu et al. also observed that
the securitymodel of Girault and Lefranc (2005) does not allow
an adversary to interact with the client via the aided ver-
ification protocol, and consequently devised an attack of their
protocol by exploiting this weakness. However, this attack
actually assumes the server to be deviated from the specifi-
cation of the aided verification protocol, which is different
from the models considered in Girault et al. (2005), Wu et al.
(2008, 2011). On the other hand, Wu et al. (2008, 2011) pro-
posed a security model aimed to capture the collusion of the
signer with the server. Recently, Wang et al. (2010) criticized
the model of Wu et al. (2008, 2011) and proposed a new one.
We found that these two models may not model the collusion
attack well. In particular, they do not consider an attacker,
who possesses the private key of the signer, colludes with the
server for convincing the client to accept a maliciously gen-
erated invalid signature. We will critically review the defini-
tions given by Wu et al. (2008, 2011) in Section 3, and discuss
the subtleties in themodelling of collusion attack in Section 4.
1.5. Our contribution
Security model is meant to capture all possible attacks in re-
ality. It is thus important to infer the intuition of a model. We
point out the meaning behind and the subtleties in existing
models; and propose a new security model to capture the
collusion attack. We also show that an existing scheme of Wu
et al. (2008) is insecure in their own model. This is not just
a theoretical concern or an artefact in the security proof. The
attacks can be easily launched in practice. Finally, we provide
a generic construction of SAV. Compared with the SAV pro-
tocol of Girault and Lefranc, ours provides a higher level of
i n f o rma t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 748
security yet can be applied on a much wider class of pairing-
based cryptosystems. In particular, it suggests SAV protocols
for short signatures in the standard model and aggregate
signatures which have not been studied before.
Roadmap In Section 2, we review the framework of server-
aided signatures verification and the cryptographic primitive
involved in this paper. We will also give a concise review of
three short signature schemes and an aggregate signature
scheme in the same section. Our results are presented after
this section. The model and the schemes of Wu et al. (2008,
2011) will be analysed in Section 3. We present our new se-
curity model for signature with server-aided verification pro-
tocol in Section 4, followed by a generic construction of
pairing-based SAV protocol and two classes of concrete in-
stantiations in Section 5. Finally, Section 6 concludes our
paper and identifies future research direction.
2. Preliminaries
2.1. Notations
We explain some notations used in the rest of this paper. We
use ha0;a1;.;ani to denote the set of positive integers. For
a finite set S, x˛RS means choosing an element x uniformly at
random from S. For algorithms A1 and A2, we use out )$
to
denote that out is the result of running A1 on input in, and
out1)A1ðin1Þ4A2ðin2Þ to denote that out1 is the final output of
algorithm A1 with local input in1 after interacting with algo-
rithm A2 with local input in2.
2 Obviously, l here should be the same as that used in Setup;otherwise, mismatch of expected and actual security level mayresult, not to say operational error like overflow.
2.2. Framework for server-aided verification ofsignatures
We first review two existing definitions, then give our
refinement.
Definition 1. A signature scheme is defined by the following
quadruple of algorithms:
� Setup(1l): an initializer probabilistically generates the system
parameter Param according to a security parameter 1l,where l is
a positive integer. Param will be part of the input of the other
algorithms, and will be omitted for brevity.
� KeyGen(): a signer uses this probabilistic algorithm to generate
a private/public key pair (sk,pk). Amessage space and a signature
space should be implicitly defined by pk.
� Sign(sk,m): a signer uses this possibly probabilistic algorithm to
output a signature s by taking the input of a signing key sk and
a message m.
� Verify(pk,s,m). Anyone can use this usually deterministic ver-
ification algorithm which takes the input of a public key pk,
a signature s and a message m. It outputs 1 iff s is a valid sig-
nature on m under pk, 0 otherwise.
Correctness of a signature scheme requires that for all l˛N, all
Param given by Setup(1l) and all ðsk;pkÞ given by KeyGen(), the
equation Verify(pk,Sign(sk,m),m)¼ 1 holds with probability 1 for all
message m in the message space.
Definition 2. A signature scheme (Setup,KeyGen,Sign, Verify) with
server-aided verification is one equipped with a VStetup algorithm
and an AidedVerify protocol.
� VStetup is a probabilistic algorithm executed by a verifier which
takes a security parameter 1l and outputs some verification
parameter VString.2
� AidedVerify is an interactive protocol between a verifier and
a server. The input of the verifier includes VString generated by
VStetup, a message/signature pair (m,s) obtained from a signer
and the public key pk of the signer. As a result of the protocol, the
verifier outputs 1 iff s is a valid signature on m under pk, 0 iff sis
an invalid signature, or t when the server “cheats”. The server
has no local output. We give a more fine-grained definition
regarding VStetup and AidedVerify.
Definition 3. Our definition of algorithms for server-aided ver-
ification are refined as below.
1. VString can be partitioned into private/public verification pa-
rameters ðs;GÞ, i.e., ðs;GÞ )$ .
2. AidedVerify is split into a pair of interacting multi-stage algo-
rithms AidedVerifyc and AidedVerifys, which denotes the
respective part of the AidedVerify protocol executed by a client
and a server.
Concretely, the first stage of AidedVerifyc takes m;s;pk; and
ðs;GÞ as an input, generates some state information state and
a protocol flow fc to the server; and the final stage takes state
together with a protocol flow fsfrom the server, and outputs either 1,
0, or t. On the other hand, AidedVerifys simply takes fc (and pos-
sibly G) as the input and outputs fs.
Definition 4. Correctness of a signature scheme with server-aided
verification requires that for all l˛N, all Param given by
Setup(1l), all (sk,pk) given by KeyGen(), and all VString given
by VStetup(1l), we have Verify(pk,s,m) AidedVerifycðm�; s�;pk;VStringÞ4AidedVerifysðGÞ holds for all m in the message space
and s in the signature space.
2.3. Existential unforgeability
The work of Wu et al. (2008, 2011) gives two security defi-
nition. The first one is an extension of the existential unfor-
geability against adaptive chosen message attack of
a standard signature scheme. Below gives our definition of
unforgeability that will be used throughout this paper. This is
based on the definition of Wu et al. with adjustments to be
elaborated.
Definition 5. A server-aided verification of signatures protocol is
ðt; qs;qvÞ-existentially unforgeable under adaptive chosen message
and verification attacks (EUF-CMVA) if for all probabilistic polyno-
mial time adversary A which runs within time t wins the following
game with negligible probability in a security parameter l.
i n f o rm a t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7 49
Setup. The challenger C runs the algorithms Setup, KeyGen and
VStetup to obtain the system parameter Param, a key pair (sk,pk) and
the verification private/public parameterVString ¼ ðs;GÞrespectively.The adversaryA is given Param, pk andG,while s and sk arewithheld
fromA.
Query. A can adaptively make at most qs OSign queries and at
most qv OAidedVer queries.
� In an OSign query,A supplies a message m. C puts m into a setMand responses with Sign(sk,m).
� In an OAidedVerquery, A starts by supplying a message/sig-
nature pair (m,s)to C. C then initiates the AidedVerifyprotocol as
a client, and the adversary A responses as the server.
Output. A outputs a message/signature pair (m*,s*) to C. A is
considered to win the game if m�;M and 1)AidedVerifycðm�;s�;pk; ðs;GÞÞ4AidedVerifysðGÞ.
2.3.1. ImplicationA difference from the security definition for standard digital
signatures is the additional OAidedVer oracle. The OAidedVer-
query issued by the adversary A is in the form of a message/
signature pair (m,s), which C responds by initiating the Aided-
Verify protocol as a client according to this (m,s). This ensures
that runningAidedVerify protocol many times would not harm
the client. For example, some secret may be used in the gen-
eration of verification parameter VString, and some partial in-
formationof this secretwhich is useful to fool the clientmaybe
leaked via the AidedVerify protocol.
2.3.2. Difference from the previous definitionsTheOAidedVeroracle is not consideredbyGirault et al. (2005). It
was first considered in the definition of Wu et al. (2008, 2011).
Apart from the adjustments regarding the division of private
and public components of verification parameters, wemake it
clear that thewinningconditionof theadversary isbasedonan
honest execution of the AidedVerify protocol, to capture the
basic unforgeability notion of a SAV scheme. It is weaker than
a definition based on any adversarial execution aided ver-
ification, i.e., 1)AidedVerifycðm�;s�;pk;VStringÞ4AðGÞ. We
choose to leave this to the definition of soundness inDefinition
8 to be described in Section 4.
2.4. Review of pairing and pairing-based signatureschemes
Table 1 e Concise review of selected pairing-basedsignature schemes.
Schemes Setup KeyGen
BLS H0 : f0; 1g�/G pk ¼ gx
ZSS H1 : f0; 1g�/Zp pk ¼ gx
BB H1 : f0; 1g�/Zp ðpkX;pkYÞ ¼ ðgx; gyÞBGLS H0 : f0; 1g�/G pki ¼ gxi
Schemes Sign Verify
BLS s ¼ H0(m)x beðg; sÞ¼? beðpk;H0ðmÞÞZSS s ¼ g1=ðH1ðmÞþxÞ beðg; gÞ¼? beðs; gH1ðmÞ$pkÞBB ðs1; s2Þ ¼ ðg1=H1ðmÞþxþyr; rÞ beðg; gÞ¼? beðs1; gH1ðmÞ$pkX$pk
s2Y Þ
BGLS si ¼ H0ðmiÞxi s ¼Yki¼1
si beðg; sÞ¼? Yki¼1
beðpki;H0ðmiÞÞ
Definition 6. Let G and GTbe two multiplicative cyclic groups both
of prime order p. Suppose g is a generator of G. A mapbe : G�G/GT is a pairing if it satisfies the following properties:
� (Bilinearity.) beðux; vyÞ ¼ beðu;vÞxy for all u;v˛G and x; y˛Zp.
� (Non-degeneracy.) beðg; gÞs1, where 1 is the identity element in
GT.
� (Computability.) beðu;vÞ can be computed in polynomial time for
all u; v˛G. We denote ðG;GT; g; p; beÞ by ParamBDH.
For simplicity of the presentation, this paper uses sym-
metric pairing. It should be noted that in order to instantiate
the schemes efficiently, a certain kind of asymmetric pairing
should be used for fast hashing to the group, short group
representations, etc. One may refer to the respective original
papers (Boneh et al., 2004b, 2003; Zhang et al., 2004; Boneh and
Boyen, 2008; Lu et al., 2006) for details.
Table 1 gives a concise review of a few selected short sig-
nature schemes and an aggregate signature scheme. We omit
ParamBDHwhich is used in all the schemes. All functions
chosen in the Setup are cryptographic hash functions which
map arbitrary bit-strings to G and Zp respectively. These
functions will be modelled as random oracles in the security
proofs of the corresponding schemes, except BB. The private
signing key is a random element x˛RZp; any additional com-
ponent which may be required is denoted by y˛RZp. We use
BLS, ZSS, BB and BGLS to denote the scheme in Boneh et al.
(2004b), Zhang et al. (2004), Boneh and Boyen (2008) and
Boneh et al. (2003) respectively. BB is provably secure in the
standard model.
3. Analysis of the model and the schemes ofWu et al.
3.1. Soundness of aided verification for a random invalidsignature
Definition 7. (Wu et al., 2008, 2011). A server-aided verification
protocol is (t,qv)-sound against adaptive chosen verification attacks
under collusion if for all probabilistic polynomial time adversary Awhich runs within time t wins the following game with negligible
probability in a security parameter l.
Setup. The challenger C runs the algorithms Setup, KeyGen and
VStetup to obtain the system parameter Param, a key pair (sk,pk)
and the verification parameter VString respectively. The adversary
A is given Param and (sk,pk). VStringis withheld from A.
Query. A can adaptively make at most qvOAidedVer queries,
defined as in Definition 5.
Output. A outputs a message m*. C then chooses a random
invalid signature s*as a response to A (i.e., A can see s*). We say Awins the game if we have AidedVerifyðA; Cðm� ;s� ;pk;VStringÞÞ ¼ 1.
3.1.1. ImplicationFor ease of understanding, we first contrast the above defi-
nition from Definition 5. To model the collusion with the
signer, the adversary is equippedwith sk (and hence theOSign
oracle is no longer useful to the adversary).
Fig. 1 e Wu et al.’s basic protocol (protocol I).
i n f o rma t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 750
We make the following three comments on this definition.
1. A random invalid signature s*is chosen by the challenger C.Whether the adversary A succeeds or not depends on this
invalid signature. Perhaps this definition can capture
a special possible case that the transmission error of a sig-
nature results in a uniformly random invalid signature,
however, we believe there is a more direct or intuitive
definition regarding soundness. As suggested in Wu et al.
(2008, 2011), Wu et al. failed to prove their schemes with
respect to a model stronger than this.
2. The challenger C needs to tell the adversary A what is the
invalid signature s* in question. This models the server’s
knowledge of the signature that a verifier holds. Practically,
it is not difficult for the adversary to do so. For example,
immediately after the adversary sent the “signature” to the
client, it can either impersonate the server which is within
the reachable network of the client, or instruct the collud-
ing servers to act accordingly.
3. For Definition 7, it is unclear to us if the condition3
AidedVerifyðA; Cðm� ;s� ;pk;VStringÞÞis suggesting that A is follow-
ing the specification of AidedVerify or not. Since the attack
against Girault et al. (2005) in Wu et al. (2008, 2011) requires
the malicious server to deviate from the protocol specifi-
cation, we assume their securitymodel does not restrict the
behaviour of the server.
3.2. Constructions
Wu et al. (2008, 2011) proposed two protocols, both are for BLS(Boneh et al., 2004b). These protocols are reviewed in Figs. 1
and 2.
In Wu et al. (2008, 2011), there are theorems claiming that
protocol I is existentially unforgeable and protocol II is both
existentially unforgeable and sound.
3.3. Soundness attack of protocol I
We start by showing a weakness of the protocol I (depicted in
Fig. 1) proposed by Wu et al. (2008, 2011) when the signer is
colluding with the server. We remark that it was only claimed
to have soundness when the adversary does not have the
signer’s private key. The attack tries to convince the verifier
that an invalid signature can pass the verification algorithm
under signer U’s public key. The server needs to know the
associated message, which is some information that the
signer can easily share with the colluding server. In addition,
the server needs to communicate with the signer. However,
the server does not need to identify the corresponding sig-
nature the verifier holds. For any messagem, and any random
invalid (with respect tom) signature s˛RG, our attack proceeds
as below.
1. The verifier sends (s,R) to the server as the first flow of the
AidedVerify protocol.
2. The server forwards (s,R) to the signer.
3 This is directly quoted from Wu et al. (2008, 2011) and is notconsistent with our notation used in Definition 2.
3. The signer then computes K1 ¼ beðH0ðmÞ;RÞx and sends it to
the server. Note that Definition 7 requires the adversary to
announce the message m, so it is known to the malicious
server.
4. The server simply forwards K1 to the verifier as the second
flow of the AidedVerify protocol.
It is easy to verify that the attack works by the bilinearity.
The signer has not leaked the signature H0(m)x to anyone
including the server. This matches with the underlying trust
assumption in Girault et al. (2005) and Wu et al. (2008, 2011)
that the server does not know any valid signature of the
message when it tries to use AidedVerify protocol to convince
the verifier.
One may wonder if it is a trivial attack as any adversary
knowing a private key can obviously convince a verifier. A
crucial point to note is that, while the verifier was convinced,
the signature he/she is holding is actually invalid and hence
not binding to the signer at all. It is similar to the security
concern in undeniable signature (e.g., Chaum and Antwerpen,
1989; Laguillaumie and Vergnaud, 2005) or confirmer sig-
nature (e.g., Chaum and Santis, 1994; Chow and Haralambiev,
2011).
The client is only in possession of K1 ¼ beðH0ðmÞx; grÞ, which
can be computed by beðH0ðmÞr; gxÞ without the signer’s private
key x. To implicate the involvement of the signer, one may
imagine that r can be chosen by a fourth party other than the
verifier, the signer and the server, such that the verifier only
knows R ¼ gr but not r. Based on the assumption that
K1 ¼ beðH0ðmÞx; grÞ is difficult to be computed from R ¼ gr, the
public key gx and H0(m), the signer must have “participated”.
Fig. 2 e Wu et al.’s protocol with soundness (protocol II).
i n f o rm a t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7 51
However, it is just a pathological case. First, a signature should
be publicly verifiable. Second, this fourth party can simply ask
for the signature from the client instead of using this con-
trived way to get convinced. To conclude, K1 cannot be seen as
something that binds the signer to the message.
3.4. Soundness attack of protocol II
Now we present our attack against the second protocol
(depicted in Fig. 2) proposed by Wu et al. (2008, 2011). In this
attack, the “signer” does not need to use his/her private
signing key at all. but the collusion group can convince
a verifier about the validity of signatures on anymessage from
anyone. Simply put, the adversary can perform a universal
forgery. This attack requires the server has some hint about
what is the (hidden) signature that a verifier holds, which is
doable in practice as we have argued before.
In essence, our attack recovers gr since a malicious signer
knows s and a colluding server receives s0 ¼ s$gr from the
client. The client can be easily fooled by (K2,K3) such that K2 ¼K3$beðg; grÞ holds. For any message m, and any random invalid
(with respect tom) signature s˛RG, the details of our attack are
as follow.
1. The client initiates the AidedVerify protocol and sends
s0 ¼ s$gr to the server.
2. Themalicious server, knowing the s in question, recovers gr
by s0/s.
3. The server randomly picks K3˛RGT, computes
K2 ¼ K3$beðg; grÞ, and returns (K2,K3) to the client.
The last step ofAidedVerify to be executed by the client is to
conclude that s is valid if K2 ¼ K3$Kr1. However, s is invalid. The
correctness of our attack thus follows.
3.5. Correctness attack
Reminiscent of the correctness requirement of a signature
scheme, a SAVprotocol should be correct, i.e., a valid signature
must pass theAidedVerifyprotocol. However, nothing regarding
this is said inWuetal. (2008, 2011).Actually, it is easy tosee that
a malicious server can falsely claim that a valid signature is
invalid with overwhelming probability, by returning random
elements to the verifier. There is no mechanism in their pro-
tocols for the verifier to detect such behaviour.
4. Our definition for the security of server-aided verification
We note the following subtleties in the modelling of collusion
which are unclear in the previous work (Wu et al., 2008, 2011;
Wang et al., 2010).
1. AidedVerify (specifically, AidedVerifyS) is honestly executed
(by the server) or not?
The definition used in Wu et al. (2008, 2011), Wang et al.
(2010) seem to be suggesting an honest execution since the
original algorithm is used in the definition. However, the
attack in the respective paper is assuming otherwise, in which
the server simply ignores what is being sent by the client but
just computes something that can fool the client. The com-
putation involved surely does not match with the original
specification of AidedVerify protocol.
2. The secret information used in generating the verification
parameter VString is public or not?
The framework of Wu et al. (2008, 2011), Wang et al. (2010)
simply puts both the secret random coin and any public string
derived from it into the definition of VString. The security
model in Wu et al. (2008, 2011), Wang et al. (2010) withholds
the whole VString from the adversary. On the other hand, the
security proof given in Wang et al. (2010) regarding the secu-
rity of protocol I in Wu et al. (2008, 2011) actually gives the
whole VString, including the random choices made by the
verifier, to the adversary.
We remark that it is unclear to us how the soundness can
hold in the latter setting since the client is only protected by
his/her secret choice in principle.
3. The signature (forgery), which determines the success/
failure of the adversary, is randomly chosen or adversa-
rially chosen?
In Wu et al. (2008, 2011), the forgery s* is a random invalid
signature chosen by the challenger. The possibility that an
adversary may tailor-make a forgery to fool the client is not
modelled. In Wang et al. (2010), the forgery s* is chosen by the
adversary, yet it should be “according” (directly quoted from
Wang et al. (2010)) to a private/public key pair ðskf ;pkf Þ that isdifferent from ðsk;pkÞ. This again restricts the flexibility of the
adversary to tailor-make a forgery.
4. What is the goal of the adversary?
As motivated in Section 1, the adversary may benefit not
only when an invalid signature is falsely-claimed as a valid
one, it may also benefit from claiming a valid signature as
invalid. The security definitions inWu et al. (2008, 2011),Wang
et al. (2010) have no requirement about this.
4.1. Soundness against collusion
We propose a better model of the security of a SAV scheme
against collusion between the server and the signer by
addressing all the above subtleties.
Definition 8. A server-aided verification protocol is (t,qv)-sound
against adaptive chosen verification attacks under collusion if for all
probabilistic polynomial time adversary A which runs within time t
wins the following game with negligible probability in a security
parameter l.
Setup. The challenger C runs the algorithms Setup, KeyGen and
VStetup to obtain the systemparameter Param, a key pair (sk,pk) and
the private/public verification parameterVString ¼ ðs;GÞrespectively.The adversary A is given Param, (sk,pk) and G, but not s.
Query. A can adaptively make at most qvOAidedVer queries, as
defined in Definition 5. A can maintain some state information state
throughout all these queries.
i n f o rma t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 752
Output. With state, A outputs a message m* and a signature s*
to C. Let b0)Verifyðpk;s�;m�Þ and b1)AidedVerifycðm�;s�;pk;VStringÞ4AðstateÞ. We say that A wins if b0sb1^b1st.
An alternative definition can be given by assigning
b1)AidedVerifycðm�;s�;pk;VStringÞ4AidedVerifysðGÞ instead.
It is equivalent to the above definition by the correctness of
a SAV protocol (Definition 4).
4.2. Existential unforgeability
For existential unforgeability, EUF-CMVA (Definition 5) is
sufficient. It is proven in Wu et al. (2008, 2011) that if a SAV
protocol is secure EUF-CMVA, it is also a secure signature
scheme in the usual sense, i.e., existentially unforgeable
against adaptive chosenmessage attack. The reason behind is
easy to see. Suppose the underlying scheme is insecure, any
forgery, which is a valid signature, should pass an honest
execution of AidedVerify by the correctness of a SAV protocol.
So this is also a forgery which breaks EUF-CMVA of SAV, and
hence the SAV protocol cannot be secure.
SinceEUF-CMVAisdefinedbaseduponanhonest execution
ofAidedVerify, it isnotdifficult toderiveastronger resultbelow.
Theorem 1. A (correct) SAV protocol is EUF-CMVA (in the sense of
Definition 5) if and only if it is also a secure signature scheme in the
usual sense, i.e., existentially unforgeable against adaptive chosen
message attack.
Next, we explore a stronger version of EUF-CMVA, such
that the adversary is considered to have produced a valid
forgery if the client get convinced from the AidedVerifyc pro-
tocol, which may run in an adversarial manner not according
to the original protocol specification. With our definition of
soundness, we have the following result.
Theorem 2. If a sound SAV protocol is EUF-CMVA-secure with
respect to an honest execution AidedVerifys, then it is EUF-CMVA-
secure with respect to an adversarial execution of verification
which deviates from AidedVerifys.
Proof. Assume to the contrary that there exists an ad-
versary A which can produce a signature s* such that
1)AidedVerifycðm�;s�;pk;VStringÞ4AðÞ. s is either a valid
signature or an invalid signature. For the former case, it breaks
EUF-CMVA-security. If it is an invalid signature, it breaks the
soundness of the protocol.
5. Our solution
In this section, we present our generic SAV protocol which is
applicable to a large class of pairing-based signatures. As
Girault et al. (2005), we assume for simplicity that the result of
the verification involves checking a predicate at the end.
Verification algorithm in these existing schemes either fits
with this assumption or can be replaced by a corresponding
equivalent algorithm.
The basic idea of our protocol is similar to the generic
protocol of Girault et al. (2005). Let f be a scheme-specific
public function which takes (Param, pk, m, s) as input,
where Param is the systemparameter, pk is the signer’s public
key, mis the message and s is the signature. Their protocol
assumes the predicate is in the form of beðg; gÞ ¼ beðs0; fðParam;pk;m; rÞÞ, where s ¼ (s
0,r), s
0is the group element in s
and r is the other part of the signature, if any. Hence the
application is rather limited, e.g., it cannot be applied on
schemes (Boneh et al., 2004b, 2003) which involve predicates
not based on beðg; gÞ In contrast, the predicate supported by our
scheme is based on the comparisons between elements in GT
or products of them. This generalizes the predicate class of
Girault et al. (2005) and effectively covers nearly all pairing-
based verification algorithms, in particular, all signature
schemes (Boneh et al., 2004a,b, 2003; Boneh and Shacham,
2004; Boyen, 2007; Camenisch et al., 2007; Cha and Cheon,
2003; Chow et al., 2005; Hess et al., 2002; Lu et al., 2006; Shao
et al., 2005; Waters, 2005) studied in Ferrara et al. (2009); and
other pairing-based cryptographic schemes such as authen-
tication for cloud environment (e.g., Chow et al., 2012a,b),
k-times anonymous authentication (e.g., Au et al., 2013), and
ciphertext validity verification in certificateless encryption
(e.g., Chow et al., 2006, 2008) and identity-based encryption
(e.g., Chow, 2010).
5.1. Our generic protocol
We first establish some notations. Let F be a scheme-specific
function which takes (Param, pk,m, s) as input and let F agg be
a function that is specific to an aggregate signature scheme
which takes Param, {pki}, {mi}, s as input. In the basic form, the
output of F or F agg only consists of a set of group-G elements
fCigi˛½1;n�for a positive integer n. A more general definition F0 orF0
agg allows the output to be pairs of a group-G element and
an exponent in Zp, fðCi;viÞgi˛½1;n�. Let V be a predicate in
the form ofQ
ði;jÞ˛XbeðCi;CjÞ¼?Q
ðk;lÞ˛YbeðCk;ClÞ for some subsets
X ;Y4f1;/; ng � f1;/; ng. Similarly, corresponding to the
more general definition F0 or F0agg, let V0 be a predicate in the
form ofQ
ði;jÞ˛XbeðCvii ;C
vjj Þ¼
? Qðk;lÞ˛YbeðCvk
k ;Cvll Þ for some subsets
X ;Y4f1;/; ng � f1;/; ng.We reduce the task of server-aided verification to the task
of “secure” delegation of pairing computation. Let S be
a secure pairing delegation protocol to be described in details.
The framework of our generic protocol is given below.
1. The verifier runs the pre-computation phase of S, possibly
with the knowledge of a (set of) public key.
2. After receiving a (set of) message, a signature and a (set of)
public key, the verifier executes F0 (or F0agg) to obtain
fðCi;viÞgi˛½1;n� for F0 (or F0agg).
In case the predicate used for verification does not involve
fvigi˛½1;n�, F (or F agg) will be executed instead.
3. The verifier engageswith the server in the request-response
phase of S to ask for the values of beðCi;CjÞ, beðCk;ClÞ where
ði; jÞ˛X ; ðk; lÞ˛Y according to the predicate V or V0.4. The verifier runs the verification phase of S to ensure the
pairing are computed correctly.
5. The verifier finally checks if the predicate is true according
to the values obtained in the output phase ofS, which gives
verification result of the signature.
i n f o rm a t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7 53
5.2. Pairing delegation protocols
The key element of our SAV protocol is pairing delegation S,
which is introduced in Chevallier-Mames et al. (2010). Below
we adopt slightly the definition from Tsang et al. (2007).
Hereinafter, the term “point” refers to a group G element.
Definition 9. A pairing delegation protocol is a two-move inter-
active protocol between a client (delegator) and a server (delegatee)
consists of five phases e pre-computation, request, response, ver-
ification and output.
1. Pre-computation phase: the client performs local computation
taking the system parameter and possibly one of the points A, B as
the input. The system parameter includes the bilinear map con-
text ðG;GT; g; p; beÞ.2. Request phase: the client sends a message to the server based on
the output of the pre-computation phase. In case that one of the
points is not used in the pre-computation phase, The message to
be sent should be further processed with the knowledge of any
points which are not used in the pre-computation phase.
3. Response phase: the server sends a message to the client. The
input of the server includes the system parameter and the mes-
sage from the client in the request phase.
4. Verification phase: the client verifies the message from the server
based on the output of the pre-computation phase. It halts and
output t if the check fails.
5. Output phase: the client outputs a GT element beðA;BÞ and the
server has no local output.
To our knowledge, the studies of pairing delegation pro-
tocols in the literature include Chevallier-Mames et al. (2010),
Kang et al. (2005), Tsang et al. (2007). Only the protocols in
Tsang et al. (2007) consider batch delegation.
Definition 10. (Tsang et al., 2007). Batch pairing delegation pro-
tocol is an interactive protocol between a client (delegator) and
a server (delegatee). The input of the client consists of a set of points
A; fBigi˛½1;n�˛Gfor a positive integer n. As a result of the protocol, the
client outputs a set ofGT elements fbeðA;BiÞgi˛½1;n� and the server has
no local output.
The first reason we turn our attention to the batch pairing
delegation protocol is that, the definitions of soundness in
Chevallier-Mames et al. (2010), Kang et al. (2005) do not specify
whether A and/or B are known to the adversary (themalicious
server in our context). Indeed, none of the protocols in Kang
et al. (2005) is designed for the case which both of the two
input points are public. This is important in SAV since the
input of the verification algorithm is by definition public (also
recall that the adversary in our adversarial model is equipped
with the message, the signature, the system parameters, etc.)
It is simply not suitable for our purpose if the security of the
protocols relies on the fact that the adversary does not know
the input of the predicate. Moreover, it has been suggested
(Tsang et al., 2007) that there exists a delegation protocol that
is secure if and only if A is private from a simplification of an
existing protocol (Kang et al., 2005). Finally, the protocol for
public points in Tsang et al. (2007) is more efficient than that
its counterpart in Chevallier-Mames et al. (2010). For these
reasons, we choose to instantiate S with the protocol PVPC
(an acronym for “Public Variable and Public Constant”) (Tsang
et al., 2007) which we review below.
� Pre-computation. The client first picks a generator Q˛G and
a random exponent rQ˛RZp; then computes ~Q ¼ QrQ andbeðA; ~QÞ ¼ beðA;QÞrQ .
� Request. The client sends to the server hA;B0 ¼ ~Q$Qn
i¼1Bbii ;
B1;.;Bni, where bi˛RZp.
� Response.Theserver sends ha0;a1;.;ani,whereai ¼ beðA;BiÞ.� Output. The client verifies if ai˛GT for i ¼ 0 to n and beðA; ~QÞ,Qn
i¼1abii ¼ a0 all hold. If so, outputs {ai}, t otherwise.
Limitations. A more flexible type of pairing delegation pro-
tocol is PVPV (an acronym for “Public Variable and Public
Variable”) which is not available to the best of our knowledge.
The other limitation is that the knowledge of the point A is
required in the above PVPC protocol. We remark that there
exists non-batch PVPC protocol which does not require the
knowledge of the constant A in the precomputation stage
(Chevallier-Mames et al., 2010).
5.3. Our construction of SAV protocol for shortsignatures
Following our generic protocol, we define function FBLSand predicate VBLS to build a SAV protocol for Bone-
heLynneShacham signature (Boneh et al., 2004b), with the
notation in Table 1.
� Function FBLS : ðParam;pk;m;sÞ1ðg; s;pk;H0ðmÞÞ.� Predicate VBLS : beðC1;C2Þ¼? beðC3;C4Þ with C1 ¼ g, C2 ¼ s,
C3 ¼ pk, C4 ¼ H0(m).
The verifier engages in the pairing delegation protocol S
with the server and obtains the two pairing values a0 ¼ beðg;sÞand a1 ¼ beðpk;H0ðmÞÞ. Finally, the verifier checks if the predi-
cate is true, that is, whether a0¼? a1.
Since the pairing delegation protocol S we employ is
capable of delegating pairing computations in batch, the
verifier can offload the verification of many signatures from
the same signer to further reduce the computation overhead.
Specifically, the verifier can delegate the computation of fa0i ¼beðg;siÞg and fa1i ¼ beðpk;H0ðmiÞÞg in batch.
Unfortunately, using a PVPC protocol instead of a PVPV
protocol, the pairing of beðC1;C2Þ and beðC3;C4Þ cannot be
batched since only C1 ¼ g is a constant.
Similarly, functions FZSS , FBB and predicates VZSS , VBB for
ZSS (Zhang et al., 2004), and BoneheBoyen (Boneh and Boyen,
2008) short signatures are described below.
� Function FZSS : ðParam;pk;m;sÞ1ðs; gH1ðmÞ$pk; g; gÞ.� Predicate VZSS : beðC1;C2Þ¼? beðC3;C4Þwith C1 ¼ s, C2 ¼ gH1
(m)$pk,
C3 ¼ g, C4 ¼ g.
� Function FBB : ðParam; ðpkX;pkYÞ;m; ðs1;s2ÞÞ1�s1; g
H1ðmÞ$pkX$pks2Y ; g; g
�
.
� Predicate VBB: beðC1;C2Þ¼? beðC3;C4Þ with C1 ¼ s1,
C2 ¼ gH1ðmÞ$pkX$pks2Y , C3 ¼ g, C4 ¼ g.
Table 2 e Complexity of the PVPC pairing delegationprotocol.
Communication overhead Overhead at the server
1 G element 1 pairing evaluation
Online Computation at the Client
1(n þ 1)-multi-EXP in G and 1(n þ 1)-multi-EXP in GT
i n f o rma t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 754
In bothZSS and BB, we have the evaluation of beðg; gÞwhich
is a constant independent of the signer’s public key or the
signature. The client can simply store it without re-computing
it every time. On the other hand, due to the lack of a PVPV
batch protocol, the degree of batching is limited. We can
define functions F0ZSS , F0
BB and predicates V0ZSS , V0
BB for ZSS(Zhang et al., 2004), and BoneheBoyen (Boneh and Boyen,
2008) as below. Note that we omit the exponent vi when it is
equal to 1 for brevity.
� Function F0ZSS : ðParam;pk;m;sÞ1ððg;H1ðmÞÞ;s;pk;s; g; gÞ.
� Predicate V0ZSS : beðCv1
1 ;C2ÞbeðC3;C4Þ¼? beðC5;C6Þ with C1 ¼ g,
v1 ¼ H1(m), C2 ¼ s, C3 ¼ pk, C4 ¼ s, C5 ¼ g, C6 ¼ g.
� Function F0BB : ðParam; ðpkX;pkYÞ;m; ðs1;s2ÞÞ1ððg;H1
ðmÞÞ;s1;pkX;s1;�pkY ;s2
�; s1; g; g
�.
� Predicate V0BB: beðCv1
1 ;C2ÞbeðC3;C4ÞbeðCv55 ;C6Þ¼? beðC7;C8Þ with
C1 ¼ g, v1 ¼ H1(m), C2 ¼ s1, C3 ¼ pkX, C4 ¼ s1, C5 ¼ pkY, v5 ¼ s2,
C6 ¼ s1, C7 ¼ g, C8 ¼ g.
However, verifying n signatures from the same signer
produced by ZSS or BB will require 2 or 3 times of pairing
computations (at the server side) respectively than the normal
approach. One may resort to non-batch protocol instead.
Comparison with Batch Signature Verification. The concepts of
using batch pairing delegation for verifying many signatures
and batch signature verification look almost the same at the
first glance. However, there are subtle differences. Batch ver-
ification often just returns a single bit which denotes whether
all the signatures are valid or there exists at least one which is
invalid. Extrameasures are thus needed to identify the invalid
signature(s) in batch verification. On the other hand, the
pairing values are not aggregated together in batch pairing
delegation, the client can get each of the pairing values. In
other words, the client is able to verify each of the signature
by simple equality checks (and possibly with exponentiations
in GT).
With respect to concrete instantiations available today, for
the case of batching the signatures from different n signers,
(n þ 1) pairing computations are needed by the batch verifier
for BLS proposed in Ferrara et al. (2009). In our approach, these
pairings are delegated, and the client only requires to do OðnÞexponentiations. In the batch verifier approach (Ferrara et al.,
2009), exponents used in verification are randomly chosen but
small, small random exponents may also be used in the batch
pairing delegation protocol (Tsang et al., 2007) since secrecy of
the points are not a concern here. Details on further opti-
mization can be found in Section 5.5.
Finally, we remark that these two approaches can be used
together, i.e., first identify what are the required pairing
computations in a batch verifier, then these computations can
still be delegated by using a pairing delegation protocol.
However, we are not aware of any batch verifier for ZSS or BB.
5.4. Our construction of SAV protocol for aggregatesignatures
For an aggregated signature s, a list of messages fmigni¼1 and
the public key list of the corresponding signers fpkigni¼1, we
define function F aggand predicate V to build a SAV protocol for
Boneh et al.’s aggregate signature (Boneh et al., 2003), fol-
lowing our generic protocol.
� Function
F agg : ðParam;pk1;.;pkn;m1;.;mn;sÞ1ðg; s;pk1;H0ðm1Þ;.;
pkn;H0ðmnÞÞ.� Predicate Vagg: beðC1;C2Þ¼?
Qni¼1beðC2iþ1;C2iþ2Þ with C1 ¼ g,
C2 ¼ s, C2iþ1 ¼ pki, C2iþ2 ¼ H0(mi) for i ¼ 1 to n.
The verifier engages in the pairing delegation protocol S
with the server and obtains the pairing values a0 ¼ beðg; sÞ andai ¼ beðpki;H0ðmiÞÞ for i¼ 1 to n. Finally, the verifier checks if the
predicate is true, that is, whether a0¼?Qn
i¼1ai. Again, we
remark that we are not aware of any protocol of type PVPV and
hence the delegation of these pairing computations cannot be
batched together. On the other hand, computation overhead
can be reduced further by batch delegation of pairing values
for the same signer.
5.5. Efficiency analysis
Complexity of the PVPC delegation protocol for n pairings is
summarized in Table 2. The single pairing value in the pre-
computation phase can be computed by a trusted party and
preloaded to the client. For online computation cost, the client
needs to compute an (n þ 1)-element multi-exponentiation in
G (a computation of the form ax11 /axnþ1
nþ1 ) in the request stage. In
the output stage, the client needs to compute an (n þ 1)-ele-
ment multi-exponentiation in GT.
We believe that these 2 (n þ 1)-element multi-
exponentiations are quite close to the minimum computa-
tion onemust be done. Exponentiation is the basic operation in
discrete-logarithm-based cryptography. When we want to
offer some “security” regarding n elements, intuitivelyweneed
n exponentiations to pre-process them and correspondingly
we need another n exponentiations to verify the results.
Moreover, note that n-element multi-exponentiation can
be performed significantly more efficiently than n different
simple exponentiations. According to the windows methods
in Dimitrov et al. (2000); Moller et al. (2001); Menezes et al.
(2001); Avanzi (2002), For simplicity, we assume multi-
plication and squaring have the same complexity, and we use
tm to denote the computational cost of one modular multi-
plication in group GT. Let [ ¼ jpj, the bit-length of the prime p
which is the order of the group GT. Setting [ ¼ 160 and the
window size w to be 1, the average costs of one exponentia-
tion, 2-element multi-exponentiation and 4-element multi-
exponentiation in GT are about t1xp ¼ 1:488[tm,
t2xp ¼ 1:739[tm, and t4xp ¼ 1:863[tm respectively. For n-element
multi-exponentiation, its cost increases with n and converges
Table 3e The speedup gained by using the PVPC protocolover computing the 100 pairings locally using differenttypes of curves as defined in the PBC library.
Curve Type-A Type-A1 Type-D225
Speedup 2.20 3.23 1.48
Curve Type-E Type-F Type-G
Speedup 3.60 6.73 2.04
i n f o rm a t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7 55
to tnxp ¼ 1:988[tm when n reaches 15. We obtain these figures
from Avanzi (2002) [Theorem 3.4].
For communication, instead of sending (n þ 1)elements,
only 1 additional element in G (namely, B0) is sent. From the
server to the client, only 1 additional GT element is returned.
Again, we believe that these 2 additional elements are quite
close to the minimum communication overhead required by
a secure SAV protocol, and are also quite affordable by the
transmission power of a mobile device.
For the computation at the server side, instead of com-
puting n pairings as usual, it only requires to compute (nþ 1) of
them instead. The computational overhead at the server is
just 1 pairing computation, which is quite minimal. At the
client side, it has been shown (Tsang et al., 2007) that using
PVPC delegation protocol to delegate the computation of n
pairings, instead of evaluating them locally, is more efficient
for all six types of curves defined in the PBC Library.4 The re-
sults are quoted in Table 3.
Further Optimization. There are various standard opti-
mization tricks which can be applied. One trick we have
applied is the fact that n-elementmulti-exponentiation can be
performed significantly more efficiently than n different sim-
ple exponentiations. One may also consider using small ex-
ponents {bi} in the PVPC protocol. However, at least one of
them should be chosen from a large domain. Otherwise an
adversary may guess the hidden ~Q correctly with non-
negligible probability and hence break the protocol.
5.6. Security analysis
Security Properties of Pairing Delegation. Two security re-
quirements of pairing delegation protocol include complete-
ness and correctness. Informally, completeness means that
theclient canobtain thecorrect valuesafter interactingwithan
honest server; andcorrectnessmeans that the client candetect
(with high probability) when the computation results returned
by the server consists of a wrong value, nomatter whether the
error is introduced deliberately or not. To fit with the wording
in the SAVparadigm,we call the latter requirement soundness
in this paper. The formal definitions are given in B.
Regarding the use of pairing delegation protocols in con-
structing SAV protocols, one may worry that they seem to be
considering different scenarios and may not be compatible.
Specifically, pairing delegation is for two-party and SAV is
executed in a three-party environment. There is a possible
security concern that the signer (who sends messages to the
verifier) and the server (the delegatee in the delegation pro-
tocol) might collude to deceive the verifier (the client, the
delegator). We stress that, the security properties of pairing
delegation protocol hold for all possible input, i.e., the mes-
sage sent from the signer to the verifier. In particular, it covers
the case where the messages the delegator received might be
manipulated by the delegatee.
Security of Our Protocol. Existential unforgeability follows
from the completeness of S and the unforgeability of the
underlying signature scheme with the help of Theorem 1. In
the class of signature schemes we consider, whether a forgery
is valid or not is determined by a predicate which only
4 http://crypto.stanford.edu/pbc.
involves comparison of two products of different pairing
values. If a forgery passes the verification algorithm of the
underlying signature, i.e., it satisfies the predicate determined
by the verification algorithm, by the completeness of S, the
delegated predicatewill evaluate to the same value, and hence
the forgery will pass (an honest execution of) AidedVerify.
Soundness of our protocol follows from the soundness of
S. If the delegated evaluation of the predicate and its direct
evaluation mismatch, there must exist one wrongly-
computed pairing value that is undetected by the client,
which breaks the soundness of S. This can always be identi-
fied by simply recomputing all the pairings involved which
can be done in a polynomial time. This completes our reduc-
tionist proof. A more detailed proof is presented in A.
6. Conclusion
Nowadays, there are many computation devices with rela-
tively limited power, e.g., smart card, RFID tag, but need to
perform cryptographic operations which are both time and
power consuming. Server-aided computation protocols are
particularly useful since these devices often have access to
a more powerful device which can act as the server.
However, we found that the existing security models are
unsatisfactory, and two existing schemes are insecure against
a realistic form of attack which involves a collusion of a signer
and the server. We propose a new security model to capture
this attack and discuss the intuition behind variousmodelling
issues. Finally, we provide a generic construction of SAV
which is applicable on a wide class of pairing-based crypto-
systems. In particular, various short signatures schemes
(Boneh et al., 2004a,b, 2003; Boneh and Shacham, 2004; Boyen,
2007; Camenisch et al., 2007; Cha and Cheon, 2003; Chow et al.,
2005; Hess et al., 2002; Lu et al., 2006; Shao et al., 2005; Waters,
2005); and many other pairing-based cryptographic schemes
(Chow et al., 2006; Chow et al., 2008, 2012a,b; Chow, 2010) are
covered by our construction.
Finally, we note that the existing batch pairing delegation
protocol only supports the pairing of a constant with a list of
points. Considering the wide applicability of pairing in cryp-
tography, it is a very interesting problem to devise a batch
pairing delegation protocol which computes arbitrary pairings
of two lists of variable points.
Appendix A. Security analysis of our genericconstruction of SAV protocol
Let Sig be a pairing-based signature secure against existential
forgery under adaptive chosen message attack (Goldwasser
5 We remark that there is another requirement in Tsang et al.(2007) regarding secrecy of the point based on the notion ofsimulatability. This is not relevant in our discussion and hence isomitted.
i n f o rma t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 756
et al., 1998) withF : ðParam;pk;m; sÞ1fCigi˛½1;n� as the scheme-
specific function and V be the predicateQði;jÞ˛X beðCi;CjÞ¼?
Qðk;lÞ˛YbeðCk;ClÞ for some subsets X ;Y4
f1;/; ng � f1;/; ng as the verification equation of Sig as dis-
cussed in Section 5.
We construct a simulator S that breaks the completeness
of the delegation of pairing computation S or the EUF-CMA
security of Sig (Goldwasser et al., 1998) if there exists
an adversary A that can win in the game described in
Definition 5.
Proof.. Setup: S receives pk as the challenge public key of Sig.
VString is an empty string in our choice of pairing delegation
protocol as the verification parameter is included in pk. S gives
pk to A.
Query: For each OSign query with input m from A, S re-
sponds with the answer from it signing oracle. S addsm to the
set M. For each OAidedVer query with input (m,s), S follows
the the specification of S as server honestly.
Output: Finally, A outputs a message/signature pair (m*,s*)
such that m*;M. S invokes F to obtain {Ci}and verifies the
signaturewith predicate V. If s* is a valid signature onmessage
m*, S returns (m*,s*) as the forgery to the original signature
scheme Sig.
On the other hand, suppose (m*,s*) is not a valid signature,
there exists indexes i,j,k,l and a pairing comparison in predi-
cate V such that beðCi;CjÞsbeðCk;ClÞ and that
SðCi;CjÞ ¼ SðCk;ClÞ. Here SðA;BÞ denotes the output of the
client after interacting with the server in the pairing-
delegation protocol S for the computation of pairing of
points A and B. In this case, S has successfully broken the
completeness of S.
Likewise, we construct a simulator S that breaks the cor-
rectness of the delegation of pairing computation Sif there
exists an adversary A that can win in the game described in
Definition 8.
Proof. Setup: S generates the key pairs (pk,sk) of Sig. VString
is an empty string in our choice of pairing delegation protocol
as the verification parameter is included in pk. S gives (pk,sk)
to A.
Query: For each OAidedVer query with input (m,s), S fol-
lows the the specification of S as server honestly.
Output: Finally, A outputs a message/signature pair (m*,s*)
such that m�;M. S invokes F to obtain {Ci}and verifies the
signature with predicate V.If s* is a valid signature on message m*, that is, b0 ¼ 1. This
implies the set {Ci}satisfies the predicate V. Thus, A wins the
game if and only if there exists indexes i,j,k,land a pairing
comparison in predicate V such that beðCi;CjÞ ¼ beðCk;ClÞ and
that SðCi;CjÞsSðCk;ClÞOn the other hand, suppose (m*,s*) is not a valid sig-
nature, that is, b0 ¼ 0. This implies the set {Ci} does not
satisfy the predicate V. Thus, A wins the game if and only if
there exists indexes i,j,k,l and a pairing comparison in
predicate V such that beðCi;CjÞsbeðCk;ClÞ and that
SðCi;CjÞ ¼ SðCk;ClÞ. In both cases, S has successfully broken
the correctness of S.
Appendix B. Secure (batch) pairing delegation
The security requirements of batch delegation protocols for
asymmetric pairings (Tsang et al., 2007), in which one of the
points is a constant, are reviewed as follow.5 Let A˛G1 be
the constant point, and B1, ., Bn˛G2 be the variable points to
be paired up with A. The protocol’s goal is to compute
fbeðA;BiÞ : i˛f1;.;ngg.Let R and ε be two probabilistic polynomial time (PPT) al-
gorithms modelling the Delegator and the Delegatee respec-
tively. Finally, BDHðlÞ denotes an instance generator for
groups G1;G2;GT with prime orders roughly equal to 2l and
a pairing function be : G1 �G2/GT. Desired properties of
a batch delegation protocols for pairings include:
� Completeness. The Delegator R obtains fbeðA;BiÞ : i˛f1;.;nggafter interacting with an honest Delegatee ε.
� Correctness. The Delegator R can detect (with non-
negligible probability) when the Delegatee ε is cheating
(i.e. the final result leads to a wrong value).
Gamecorrε
ðlÞParam)ðG1;G2;GT; eÞ)R BDHðlÞðt1; t2;.; tnÞ)R RðParam;A;B1;.;BnÞ4EðParam;A;B1;.;BnÞ;ifðdi˛f1;.;ng; ðtisbeðA;BiÞÞÞreturn 0; else return1;
The protocol is correct if the probability thatGamecorrE ðlÞ ¼ 1,
for all Param generated by BDH, for all (A,B1,.,Bn), and for all
PPT adversary ε(that may deviate from the protocol in arbi-
trary way), over the random coins of all algorithms, is non-
negligible in l.
This intuition behind this game is that, for any cheating
Delegatee ε and for any (A,{Bi}:i˛{1,.,n}}), the Delegator Routputs either fbeðA;BiÞ : i˛f1;.;nggor t, denoting invalid,
exceptwith negligible probability, even ðA; fBig : i˛f1;.;nggÞisgiven to the cheating Delegatee ε.
r e f e r e n c e s
Au MH, Susilo W, Mu Y, Chow SSM. Constant-size dynamick-times anonymous authentication. IEEE Syst J 2013.
Avanzi RM. On multi-exponentiation in cryptography. CryptologyePrint Archive, Report 2002/154; 2002.
Bellare M, Garay JA, Rabin T. Fast batch verification for modularexponentiation and digital signatures. In: Nyberg K, editor.Eurocrypt. Lecture Notes in Computer Science, vol. 1403.Springer; 1998. p. 236e50.
Boneh D, Boyen X. Short signatures without random oracles andthe SDH assumption in bilinear groups. J Cryptol 2008;21(2):149e77.
Boneh D, Boyen X, Shacham H. Short group signatures. In:Franklin MK, editor. CRYPTO. Lecture Notes in ComputerScience, vol. 3152. Springer; 2004. p. 41e55.
i n f o rm a t i o n s e c u r i t y t e c hn i c a l r e p o r t 1 7 ( 2 0 1 3 ) 4 6e5 7 57
Boneh D, Franklin MK. Identity-based encryption from the Weilpairing. SIAM J Comput 2003;32(3):586e615.
Boneh D, Gentry C, Lynn B, Shacham H. Aggregate and verifiablyencrypted signatures from bilinear maps. In: Biham E, editor.Eurocrypt. Lecture Notes in Computer Science, vol. 2656.Springer; 2003. p. 416e32.
Boneh D, Gentry C, Waters B. Collusion resistant broadcastencryption with short ciphertexts and private keys. In:Shoup V, editor. CRYPTO. Lecture Notes in Computer Science,vol. 3621. Springer; 2005. p. 258e75.
Boneh D, Lynn B, Shacham H. Short signatures from the Weilpairing. J Cryptol 2004b;17(4):297e319.
Boneh D, Shacham H. Group signatures with verifier-localrevocation. In: Atluri V, Pfitzmann B, McDaniel PD, editors.ACM conference on computer and communications security.ACM; 2004. p. 168e77.
Boyen X. Mesh signatures. In: Naor M, editor. EUROCRYPT.Lecture Notes in Computer Science, vol. 4515. Springer; 2007.p. 210e27.
Camenisch J, Hohenberger S, Pedersen MØ. Batch verification ofshort signatures. In: Naor M, editor. EUROCRYPT. Lecture Notesin Computer Science, vol. 4515. Springer; 2007. p. 246e63.
Camenisch J, Lysyanskaya A. Signature schemes and anonymouscredentials from bilinear maps. In: Franklin MK, editor.CRYPTO. Lecture Notes in Computer Science, vol. 3152.Springer; 2004. p. 56e72.
Cha JC, Cheon JH. An identity-based signature from Gap Diffie-Hellman groups. In: Desmedt Y, editor. Public keycryptography. Lecture Notes in Computer Science, vol. 2567.Springer; 2003. p. 18e30.
Chaum D. Designated confirmer signatures. In: Santis AD, editor.Eurocrypt. Lecture Notes in Computer Science, vol. 950.Springer; 1994. p. 86e91.
Chaum D, Antwerpen HV. Undeniable signatures. In: Brassard G,editor. Crypto. Lecture Notes in Computer Science, vol. 435.Springer; 1989. p. 212e6.
Chevallier-Mames B, Coron J-S, McCullagh N, Naccache D,Scott M. Secure delegation of elliptic-curve pairing. In:Gollmann D, Lanet J-L, Iguchi-Cartigny J, editors. CARDIS.Lecture Notes in Computer Science, vol. 6035. Springer. p.24e35. Also available at: http://eprint.iacr.org/2005/150; 2010.
Chow SSM. New privacy-preserving architectures for identity-/attribute-based encryption. Ph.D. thesis, New York University;2010.
Chow SSM, Boyd C, Nieto JMG. Security-mediated certificatelesscryptography. In: Yung M, Dodis Y, Kiayias A, Malkin T,editors. Public key cryptography. Lecture Notes in ComputerScience, vol. 3958. Springer; 2006. p. 508e24.
Chow SSM, Chu C-K, Huang X, Zhou J, Deng RH. Dynamic securecloud storage with provenance. In: Naccache D, editor.Cryptography and security. Lecture Notes in ComputerScience, vol. 6805. Springer; 2012a. p. 442e64.
Chow SSM, Haralambiev K. Non-interactive confirmer signatures.In: Kiayias A, editor. CT-RSA. Lecture Notes in ComputerScience, vol. 6558. Springer; 2011. p. 49e64.
Chow SSM, He YJ, Hui LCK, Yiu SM. SPICE e Simple Privacy-Preserving Identity-Management for Cloud Environment. In:Bao F, Samarati P, Zhou J, editors. ACNS. Lecture Notes inComputer Science, vol. 7341. Springer; 2012b. p. 526e43.
Chow SSM, Liu JK, Zhou J. Identity-based online/offline keyencapsulation and encryption. In: Sandhu R, Wong DS,Cheung B, Hui LCK, editors. ASIACCS. ACM; 2011. p. 52e60.
Chow SSM, Roth V, Rieffel EG. General certificateless encryptionand timed-release encryption. In: Ostrovsky R, Prisco RD,Visconti I, editors. SCN. Lecture Notes in Computer Science,vol. 5229. Springer; 2008. p. 126e43.
Chow SSM, Yiu S-M, Hui LCK. Efficient identity based ringsignature. In: Ioannidis J, Keromytis AD, Yung M, editors.
ACNS. Lecture Notes in Computer Science, vol. 3531; 2005. p.499e512.
Chu C-K, Zhu WT, Chow SSM, Zhou J, Deng RH. Secure mobilesubscription of sensor-encrypted data. In: Sandhu R,Wong DS, Cheung B, Hui LCK, editors. ASIACCS. ACM; 2011.p. 228e37.
Delerablee C. Identity-based broadcast encryption with constantsize Ciphertexts and private keys. In: Kurosawa K, editor.ASIACRYPT. Lecture Notes in Computer Science, vol. 4833.Springer; 2007. p. 200e15.
Dimitrov VS, Jullien GA, Miller WC. Complexity and fastalgorithms for multiexponentiations. IEEE Trans Comput 2000;49(2):141e7.
Ferrara AL, Green M, Hohenberger S, Pedersen MØ. Practical shortsignature batch verification. In: Fischlin M, editor. CT-RSA.Lecture Notes in Computer Science, vol. 5473. Springer; 2009.p. 309e24.
Girault M, Lefranc D. Server-aided verification: theory andpractice. In: Roy BK, editor. ASIACRYPT. Lecture Notes inComputer Science, vol. 3788. Springer; 2005. p. 605e23.
Goldwasser S, Micali S, Rivest R. A digital signature schemesecure against adaptive chosen-message attacks. SIAM JComput 1998;17(2):281e308.
Hess F. Efficient identity based signature schemes based onpairings. In: Nyberg K, Heys HM, editors. Selected areas incryptography. Lecture Notes in Computer Science, vol. 2595.Springer; 2002. p. 310e24.
Kang BG, Lee MS, Park JH. Efficient delegation of pairingcomputation. Cryptology ePrint Archive, Report 2005/259;2005.
Laguillaumie F, Vergnaud D. Short undeniable signatures withoutrandom oracles: the missing link. In: Maitra S, Madhavan CEV,Venkatesan R, editors. Indocrypt. Lecture Notes in ComputerScience, vol. 3797. Springer; 2005. p. 283e96.
Lu S, Ostrovsky R, Sahai A, Shacham H, Waters B. Sequentialaggregate signatures and multisignatures without randomoracles. In: Vaudenay S, editor. EUROCRYPT. Lecture Notes inComputer Science, vol. 4004. Springer; 2006. p. 465e85.
Menezes AJ, van Oorschot PC, Vanstone SA. Handbook of appliedcryptography. CRC Press; 2001.
Moller B. Algorithms for multi-exponentiation. In: Vaudenay S,Youssef AM, editors. Selected areas in cryptography. LectureNotes in Computer Science, vol. 2259. Springer; 2001. p. 165e80.
Sahai A, Waters B. Fuzzy identity-based encryption. In: Cramer R,editor. EUROCRYPT. Lecture Notes in Computer Science,vol. 3494. Springer; 2005. p. 457e73.
Shao Z. Enhanced aggregate signatures from pairings. In: Feng D,Lin D, Yung M, editors. CISC. Lecture Notes in ComputerScience, vol. 3822. Springer; 2005. p. 140e9.
Tsang PP, Chow SSM, Smith SW. Batch pairing delegation. In:Miyaji A, Kikuchi H, Rannenberg K, editors. IWSEC. LectureNotes in Computer Science, vol. 4752. Springer; 2007. p. 74e90.
Wang Z, Wang L, Yang Y, Hu Z. Comment on Wu et al.’s server-aided verification signature schemes. Int J Netw Security 2010;10(2):158e60.
Waters B. Efficient identity-based encryption without randomoracles. In: Cramer R, editor. EUROCRYPT. Lecture Notes inComputer Science, vol. 3494. Springer; 2005. p. 114e27.
Wu W, Mu Y, Susilo W, Huang X. Server-aided verificationsignatures: definitions and new constructions. In: Baek J,Bao F, Chen K, Lai X, editors. ProvSec. Lecture Notes inComputer Science, vol. 5324. Springer; 2008. p. 141e55.
Wu W, Mu Y, Susilo W, Huang X. Provably secure server-aidedverification signatures. Comput Math Appl 2011;61(7):1705e23.
Zhang F, Safavi-Naini R, Susilo W. An efficient signature schemefrom bilinear pairings and its applications. In: Bao F, Deng RH,Zhou J, editors. Public key cryptography. Lecture Notes inComputer Science, vol. 2947. Springer; 2004. p. 277e90.